> maybe have a look at cfengine?
> or apt-cache search / freshmeat / google for other options

I was down this road just a few months ago. cfengine is nice except
that the author doesn't believe that 'administrative information' is
something that should be protected and thus has no plans to move from
rsh to an SSH tunnel or SSL. Imagine syncing /etc/shadow or some other
information that should be kept secret over RSH. Yuck.

Beyond cfengine, there are a couple of tools out there although I
never really grew to like any of them. There is one called PiKT and
another called Palantir. Palantir is sorta like SourceForge in that it
has a lot of hard-coded stuff that makes it very difficult to get
working in an environment other than the one it is developed in. The
PiKT author gave a presentation at LISA 2000 and seems to be actively
hacking on the project. I never really liked his custom scripting
language though so...

I ended up taking much the same approach that you offer except that my
private keys are kept offsite and behind a very tight
firewall. Whenever a change needs to be made I have to write a script
and put it in a globally accessible NFS share. I then use the machine behind
the firewall to iterate through the address space of the target
machines using ssh-agent and with a command line something like:

$ ssh -l root <target host> '<path to update script>'

It works but is very kludgey.

There is a commercial software package called NetShell that will do a
lot of the remote admin kind of tasks but I have not had a chance to
purchase a copy and try it out. Regardless, it is non-free. I am
mostly interested in NetShell as another data point regarding how
these kinds of problems can be solved.
--
Nathan Valentine - nathan@uky.edu
University of Kentucky Lab for Advanced Networking
Jabber: NRVesKY AIM: NRVesKY ICQ: 39023424
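
The ssh-agent loop described in the message above, as an added example that is not part of the original post. The names SSH_CMD, run_update, push_updates and FAILED_HOSTS and the one-host-per-line file format are assumptions, and it expects ssh-agent to already hold the key and the targets' host keys to be in known_hosts.

```shell
#!/bin/sh
# Added example, not from the original post. SSH_CMD, run_update, push_updates
# and FAILED_HOSTS are hypothetical names; the host file format is an assumption.

SSH_CMD=${SSH_CMD:-ssh}   # overridable so the loop can be exercised offline

# Run one command on one host as root, using whatever key ssh-agent holds.
run_update() {
    # BatchMode=yes: fail instead of prompting if the agent has no usable key.
    # StrictHostKeyChecking=yes: refuse hosts whose key is unknown or changed.
    # </dev/null: keep ssh from swallowing the rest of the host list on stdin.
    "$SSH_CMD" -l root \
        -o BatchMode=yes \
        -o StrictHostKeyChecking=yes \
        -o ConnectTimeout=10 \
        "$1" "$2" </dev/null
}

# push_updates HOSTFILE SCRIPT
# HOSTFILE has one host per line; blank lines and '#' comments are skipped.
# Failed hosts are collected in FAILED_HOSTS; status is non-zero if any failed.
push_updates() {
    FAILED_HOSTS=
    while IFS= read -r host; do
        case $host in
            ''|'#'*) continue ;;
            -*)  # would be parsed by ssh as an option, never pass it through
                echo "REJECTED $host" >&2
                FAILED_HOSTS="$FAILED_HOSTS $host"
                continue ;;
        esac
        if run_update "$host" "$2"; then
            echo "ok       $host"
        else
            echo "FAILED   $host" >&2
            FAILED_HOSTS="$FAILED_HOSTS $host"
        fi
    done <"$1"
    [ -z "$FAILED_HOSTS" ]
}

# Usage (constructed paths): push_updates ./hosts.txt /nfs/admin/update.sh
```
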